New malware responsible for fraudulent withdrawals from ATMs running old Windows

Kaspersky Lab researchers have detected a new malware family that security analysts believe to be responsible for the theft of money from automated teller machines running old Windows operating systems. This comes as card skimming remains a major concern because of the huge sums criminals can steal with it.

According to researchers at Kaspersky, the ATM thieves originate from Eastern Europe, where card skimmers also abound. The criminals are reportedly using malware to attack certain vulnerable ATMs, all without needing a stolen or forged credit or debit card. The Tyupkin malware is used to withdraw money from an ATM as smoothly as a withdrawal made with a legitimate card.

As a result of the collaboration between Kaspersky Lab and Interpol, it was found that more than 50 ATMs have been infected with Tyupkin, and that those ATMs are running a 32-bit version of Windows. This strongly suggests that the attackers are exploiting as-yet-unidentified security flaws in the ATM's operating system by means of the Tyupkin malware.

The researchers further found that Tyupkin sample submissions come mostly from Russia, while a small percentage originate from inside the continental United States. The investigation also showed that newer variants of the banking malware carry enhancements, including anti-debug and anti-emulation functions that work to evade detection by security software and malware scanners.

How else does the Tyupkin malware work? For one, the attackers make sure that only they can access the money to be withdrawn, excluding random ATM users. They achieve this by configuring the malware to do what it is made for only at a certain time of day. The attacker then enters a key to gain access to the target ATM. That key is the only means by which the money can be withdrawn, without a fake or even a legitimate card.

The researchers noted:

When the key is entered correctly, the malware displays information on how much money is available in every cassette and allows an attacker with physical access to the ATM to withdraw 40 notes from the selected cassette.

The malware is uploaded to the ATM from a bootable CD, and it dumps an executable and a debugging file onto the ATM.

Now more than ever, banks urgently need to bolster the physical security of their ATM infrastructure and install higher-end security software, since old versions of Windows such as Windows XP, which remains in use on the majority of ATMs worldwide, receive few or no security updates from Microsoft.